How Exclaimer Made SecurityScorecard a Signature Provider
The Challenge
Imagine signing your name 1 billion times every month. That is a typical month for Exclaimer, a SaaS provider that automates professional email signatures so that they are consistent throughout a company. Exclaimer creates a unified brand for its business clients and helps them comply with information security rules around the world.
To create the signatures, the software pulls contact details out of email directories from well-known email providers. When creating so many signatures, the system must filter out personal data that needs protection.
“We do that for millions of users and billions of emails. So, we have a strong responsibility for customers’ information security because we process all of their emails in real-time, and we’re a growing 300-plus user organization ourselves. We also have a responsibility to them to protect our own internal data,” said Matt Hodge, Director of Technical Operations, Exclaimer.
With so much information, Exclaimer wanted to get a better idea of its cybersecurity posture to ensure it was doing what was necessary to protect the personal data it collects. The company also has customer information stored on other partner platforms. Before using SecurityScorecard, Exclaimer could not check the cybersecurity posture of those companies.
Exclaimer began using SecurityScorecard based on a recommendation by another user. It is part of an effort to give the company a real-world analysis of its cybersecurity posture.
The Solution
Exclaimer learned about SecurityScorecard and the area of cybersecurity ratings from a customer. As a SaaS company, Exclaimer prioritizes security throughout its process, so it began using the ratings to assess its cybersecurity posture. Now, as it develops its solutions, Exclaimer uses the ratings information it gets from SecurityScorecard to inform its security needs.
In particular, SecurityScorecard updates help Exclaimer’s developers keep up with changing best practices. “We use SecurityScorecard to get (a) really good, in-depth view of anything that’s changed that we aren’t aware of,” Hodge stated.
Additionally, Exclaimer began to assess the cybersecurity posture of the vendors with whom it stores customer information. With SecurityScorecard, Exclaimer could quantify and track the cybersecurity posture of its partners and ensure they meet Exclaimer’s standards. This gives the company confidence in knowing that data is being protected.
Combined with other data, Exclaimer uses cyber ratings to meet its required cybersecurity policy. It gives the company an objective set of measurements as part of its ISO/IEC 27001 standard. The company uses the scoring with other available metrics to assess the risk and security of its systems.
“We have to demonstrate how (we perform) our supplier assessment program. Key to that is the likelihood of there being a breach essentially, which is the main reason why we use (SecurityScorecard),” Hodge continued. “An ISO auditor recommended that we use SecurityScorecard so we could access real-world analytics.”
– Matt Hodge, Director of Technical Operations, Exclaimer
Highlights
- Measures cybersecurity for new solutions throughout the product development life cycle.
- Builds a portfolio of vendors and related companies that quantifies and tracks the cybersecurity posture of other companies.
- Plays a role in quantifying Exclaimer’s own cybersecurity posture to achieve required certification.
“SecurityScorecard offers us that kind of real-world view of a vendor’s security platform,” Hodge said. “What is the likelihood of them having a breach based on how secure (they are) and how well will they act on security across their estate?”
– Matt Hodge, Director of Technical Operations, Exclaimer
The Results
Exclaimer has created a portfolio of 50 related companies (vendors, competitors, potential acquisitions, etc.) that it tracks to assess the quality of their cybersecurity platforms. Although the company has not yet needed to drop a vendor due to poor cybersecurity posture, it has the data necessary to do so, if required.
- SecurityScorecard also provides Exclaimer with updates on best practices that it can then integrate with its own product development. “We know about that change ahead of time, because SecurityScorecard has told us during a weighting change what is going to happen,” Hodge highlighted. “We normally build that into one or more processes of vulnerability management.”
- Exclaimer also uses the scores to meet its ISO standards and stay consistent with its required cybersecurity policies. “The biggest new thing is the integration with our ISO policies,” Hodge revealed. “It turned from a nice-to-have that we were looking at on the side to something that was very important and built out our process into something more mature. This has been a good change. Rather than being a curio, and something that we were running from an infosec platform perspective, it became something that the business then was using to help make decisions from a company acquisitions perspective.”
“I think it’s really useful to be able to see what (third parties) say they do on their website and in the security policies versus what they actually are doing,” Hodge said. “It’s really good to see that on the platform.”
– Matt Hodge, Director of Technical Operations, Exclaimer